Monday, February 25, 2019

Daily Blog #631: Elcomsoft IOS Toolkit and IOS 12

Hello Reader,
        If you haven't already heard, Elcomsoft recently updated their iOS Forensic Toolkit; you can check it out here: https://www.elcomsoft.com/eift.html. We got a license and tested it, and what we found is that:
A. It does not ship with any rootless jailbreaks
B. It does not automate the process of installing rootless jailbreaks
C. It does not do a physical image of the device

What it does do, though, is provide a list of tested jailbreaks (rooted and rootless) that you can install on an iOS device. Once the jailbreak is installed, you can use the Elcomsoft iOS Forensic Toolkit to decrypt the keychain and, most importantly, get a full file system dump. We tested this on an iPhone running iOS 12 and I can confirm that all the hidden and system directories we had been missing were included.

This includes not only the FSEvents data but also the KnowledgeC databases that Sarah Edwards has been blogging about. We attached the same rootless-jailbroken phone to Cellebrite, and it did not detect the presence of the jailbreak, so it did not allow a full file system dump.

While I'm sure this will be fixed in the near future in the never-ending mobile forensics arms race, it's a point for Elcomsoft this round.

Though I do have to wonder whether we could just dump a tar of the phone's contents after applying the jailbreak ourselves, without using Elcomsoft at all. That will be tomorrow's testing, along with a write-up this week of our process for doing so.
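For readers who want to try the tar-over-ssh route themselves, here is an added example of that acquisition as a shell function. It is not code from this post or from Elcomsoft, and it assumes things the page does not state: an SSH server is running on the jailbroken device and reachable at root@127.0.0.1:2222 through usbmuxd forwarding (for instance `iproxy 2222 22` from libimobiledevice), and a tar that accepts --exclude (GNU tar or bsdtar) is on the device's PATH. The archive is hashed as it arrives, tar's exit status and stderr are kept, and a member list is written so you can confirm afterwards that the hidden directories (.fseventsd, the KnowledgeC database path) actually made it into the dump. Because a live device is needed for the real thing, the transport is a parameter: pass "sh -c" and a local directory to exercise the same logic offline.

```bash
#!/bin/bash
# Added example, not from the post or from Elcomsoft: a streaming full-file-system
# dump of a jailbroken iOS device over SSH. It hashes the archive as it is received,
# records tar's exit status and stderr, and writes a member list for verification.
# Assumptions (not stated on the page): an SSH server runs on the device, reachable
# at root@127.0.0.1:2222 via usbmuxd forwarding (e.g. `iproxy 2222 22`), and a tar
# that accepts --exclude (GNU tar or bsdtar) is on the device's PATH.
set -u

# acquire_fs REMOTE_SHELL REMOTE_ROOT OUT_BASENAME
#   REMOTE_SHELL: command prefix that runs a shell command on the device,
#                 e.g. "ssh -p 2222 root@127.0.0.1". "sh -c" runs it locally.
#   REMOTE_ROOT:  directory to archive on the device (normally /).
#   OUT_BASENAME: local path prefix; writes .tar, .tar.sha256, .tar.stderr, .tar.list
# Prints "complete" when tar exited 0, otherwise "incomplete" (check .tar.stderr).
# Keep the device unlocked for the whole run (disable Auto-Lock first): once it
# locks, files in protected data-protection classes can no longer be opened and
# tar will report them as unreadable, so the dump is silently missing evidence.
acquire_fs() {
    local remote="$1" root="$2" out="$3"
    local tar_rc

    # tar streams the archive to stdout; tee lands it on disk while sha256sum
    # hashes the same bytes, so the recorded hash covers exactly what was received.
    # ./dev and ./private/var/run are device/volatile filesystems, not evidence.
    $remote "tar -cf - -C '$root' --exclude=./dev --exclude=./private/var/run ." \
        2>"$out.tar.stderr" \
        | tee "$out.tar" | sha256sum | awk '{print $1}' > "$out.tar.sha256"
    tar_rc=${PIPESTATUS[0]}   # exit status of the remote tar, as relayed by ssh

    # Member list for later verification (e.g. confirm .fseventsd and knowledgeC.db).
    tar -tf "$out.tar" > "$out.tar.list" 2>/dev/null || true

    if [ "$tar_rc" -eq 0 ]; then
        echo complete
    else
        echo "tar exited $tar_rc; archive may be incomplete, see $out.tar.stderr" >&2
        echo incomplete
    fi
}

# verify_hash OUT_BASENAME: recompute the archive hash and compare with the recorded one.
verify_hash() {
    local out="$1"
    [ "$(sha256sum "$out.tar" | awk '{print $1}')" = "$(cat "$out.tar.sha256")" ]
}

# has_member OUT_BASENAME MEMBER: true when MEMBER (a ./-relative path) is in the archive.
has_member() {
    grep -qxF "$2" "$1.tar.list"
}

# Against a real device (assumed address and port); left commented out so the
# file can be sourced and tested offline:
# acquire_fs "ssh -p 2222 root@127.0.0.1" / ./iphone-ios12-fullfs && verify_hash ./iphone-ios12-fullfs
```

Anything other than "complete" means the member list should be compared against what you expected to see (the KnowledgeC path under /private/var/mobile/Library/CoreDuet/Knowledge/, the .fseventsd directory) before the image is relied on; a partial archive is still a valid tar, which is exactly why the exit status has to be captured rather than assumed.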

3 comments:

  1. Hi David,

    Thanks for reviewing our Toolkit!

    Yes, you actually CAN create the .tar without any third party software - you only need to be familiar with ssh and tar. Just make sure that the device does not lock during the acquisition, otherwise some files will not copy. So you have to disable the auto-lock feature, or (if it is not possible, e.g. for some managed devices) touch the screen regularly. Or use the Toolkit that solves this problem :)

    Also, please pay attention to keychain decryption - that is what you cannot do manually. We do decrypt all the items, including ones with the ThisDeviceOnly attribute (so not available from backup). A lot of interesting things there :)

  2. Hi Vladimir!
    Glad to see you are still active and around. I'd love to have you come on the podcast again and talk about Elcomsoft's work on this and where all the special magic is in the process!

  3. Yep, I am here almost 24/7 :)

    Will be more than happy to join your podcast and run as deep into the details as needed!
